
Virtumonde And Other Problems

I have an instance of Virtumonde that I can't get rid of, in addition to some other bratty program that redirects me to websites (such as learning4.com) every time I use Internet Explorer. IE also closes and aborts almost every time I load it.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Save it to your desktop as fix133.reg with "Save as type" set to "All files". Double-click on fix133.reg and, when prompted, allow it to merge with the registry.

Run ATF Cleaner:
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Run OTMoveIt:

Please double-click OTMoveIt.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

c:\program files\Need2Find
c:\windows\cdmxtras

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.

Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.

Close OTMoveIt

(If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.)

Reboot into Normal Mode.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:

Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.

Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.

Once the short scan has finished, Click Options > Change settings

Choose the "Scan" tab and uncheck "Heuristic analysis".

Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)

Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.

When done, a message will be displayed at the bottom advising if any viruses were found.

Click "Yes to all" if it asks if you want to cure/move the file.

When the scan has finished, check whether you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)

Hi there - things seem to be running much better. I can't thank you enough. You mentioned that the important thing is not letting this happen again. I posted again recently asking what Virus and Spyware protection you think are really good and do the job. What do you think I should be doing daily/weekly, etc.. to keep myself protected?

I'll post some more advice below, but just for the basics, make sure you do a weekly anti-virus scan, have a firewall, and have at least one good anti-malware scanner (like AVG Anti-Spyware).

Run OTMoveIt

Click the green "CleanUp!" button.

If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the Internet, you should allow it to do so.

In the left pane, it will display a list of tools and other related files that you may have downloaded or used during our cleanup process, plus backup folders that were created with the bad files present. These are not needed anymore, so OTMoveIt will proceed to delete them.

Do NOT edit anything in that window!

Don't worry if it displays some tools you didn't download or use.

Click "Yes" when it asks to begin the cleanup process.

Then, please reboot your computer.

You may remove all the tools that we had you download for the analysis and cleaning process. They are no longer needed.

Congratulations, your computer is now clean of malware!

Let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Un-check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online and stand-alone antivirus programs:

Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety:

IE/Spyad - IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.

Google Toolbar - Get the free Google Toolbar to help stop pop-up windows.
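Two of the steps in the post above are really file edits: the Internet Explorer custom-level settings are stored as DWORD values under the Internet zone key (the same kind of change the thread applied earlier by merging fix133.reg), and the MVPS Hosts file works by mapping names to 127.0.0.1. What follows is an added Python example, not code from the thread, from BleepingComputer, or from any of the tools named above. It renders the six settings from the Internet Explorer section as a .reg file you can merge, and audits a HOSTS file to report which entries are sinkholed and which point a name at a routable address. The numeric setting IDs (1001, 1004, 1201, 1800, 1804, 1607) are assumed from Microsoft's documentation of the Zones registry key; the sample HOSTS lines are constructed for the example.

```python
"""Added example: the two file-based hardening steps from the post above.

ie_zone_reg() renders the six Internet-zone custom-level settings as a .reg
file (same format the thread used for fix133.reg); audit_hosts() checks a
HOSTS file for entries that do NOT sinkhole to the local machine.
"""
import ipaddress
from typing import Dict, List, Tuple

# Per-zone IE settings live under this key; zone 3 is the "Internet" zone.
IE_INTERNET_ZONE_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
    r"\Internet Settings\Zones\3"
)

# Custom-level states as stored in the registry.
ENABLE, PROMPT, DISABLE = 0, 1, 3

# Setting IDs are assumed from Microsoft's documentation of the Zones key
# (the thread only names the settings); the target states are the post's.
IE_HARDENING: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def ie_zone_reg() -> str:
    """Return .reg text that applies IE_HARDENING when merged with regedit."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{IE_INTERNET_ZONE_KEY}]"]
    for value_id, (description, state) in IE_HARDENING.items():
        lines.append(f"; {description}")                 # ';' starts a .reg comment
        lines.append(f'"{value_id}"=dword:{state:08x}')  # REG_DWORD, 8 hex digits
    return "\r\n".join(lines) + "\r\n"


def write_reg(path: str) -> None:
    """regedit expects 'Version 5.00' files as UTF-16LE with a BOM."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(ie_zone_reg())


def audit_hosts(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket every HOSTS entry by where it sends the name.

    'sinkholed'  - loopback or 0.0.0.0, i.e. what an MVPS-style block does
    'localhost'  - the stock localhost entry
    'redirected' - a routable address: a public name pointed somewhere else,
                   which is the shape of a tampered HOSTS file
    'invalid'    - first field is not an IP address
    """
    report: Dict[str, List[Tuple[str, str]]] = {
        "sinkholed": [], "localhost": [], "redirected": [], "invalid": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["invalid"].append((addr, " ".join(names)))
            continue
        for name in names:
            name = name.lower()                # HOSTS lookups are case-insensitive
            if ip.is_loopback or ip.is_unspecified:
                bucket = "localhost" if name == "localhost" else "sinkholed"
            else:
                bucket = "redirected"
            report[bucket].append((addr, name))
    return report


# Constructed sample HOSTS content (not a real MVPS file); .example/.test names
# and the 192.0.2.0/24 documentation range are reserved, so nothing here is real.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
127.0.0.1   ads.example          # MVPS-style block: never leaves the machine
0.0.0.0     tracker.example      # 0.0.0.0 is the other common sinkhole address
192.0.2.10  www.av-vendor.test   # a routable address for a public name: look into it
"""

if __name__ == "__main__":
    print(ie_zone_reg())
    for bucket, entries in audit_hosts(SAMPLE_HOSTS).items():
        for addr, name in entries:
            print(f"{bucket:10} {addr:12} {name}")
```

Merge the generated file the same way as fix133.reg (double-click and accept the prompt) with Internet Explorer closed, then confirm the change in Tools > Internet Options > Security > Custom Level. The audit only reads the HOSTS file; anything in the "redirected" bucket deserves a look, because the MVPS file never points a public name at a routable address.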

This is great information. Thanks. I did notice one thing - when the computer became infected, my actual monitor screen began to blink erratically, like it was dying. As we were cleaning the computer up, all of the blinking stopped. Today I ran Spybot S&D and Ad-Aware and now the blinking has begun again. Any relevance?

That sounds like your monitor might be going bad; it was probably just coincidence that it briefly stopped doing that while we were cleaning your computer. It's also possible, I suppose, that some of the drivers for your monitor got corrupted by the malware, if this only started happening after you got infected?